The Regulation, which came into effect in May 2018, promised to revolutionise data protection in the EU, giving supervisory authorities the power to issue fines of up to £20 million or 4% of an organisation’s annual global turnover (whichever is greater).

The third-party IT company that managed the database spotted an anomaly in September 2018 and contacted Marriott.

The hotel chain investigated the incident, initially reporting that as many as 500 million customers were affected. However, it later downgraded that figure to 383 million.

Most of the compromised records were customers’ names and contact details. However, the crooks also accessed 25.55 million passport numbers, of which 5.25 million were unencrypted, and 8.6 million payment card records, all of which were unencrypted.

The information includes 30 million records belonging to EU residents.

What next?

Marriott International’s president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

About The Author

Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology, and is a one-time winner of a kilogram of jelly beans.